Login or Register to Ask a Question and Join Our Community

Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

user-keyring(7) [linux man page]

USER-KEYRING(7) 					     Linux Programmer's Manual						   USER-KEYRING(7)

NAME

       user-keyring - per-user keyring

DESCRIPTION

       The  user  keyring  is  a keyring used to anchor keys on behalf of a user.  Each UID the kernel deals with has its own user keyring that is
       shared by all processes with that UID.  The user keyring has a name (description) of the form _uid.<UID> where <UID> is the user ID of  the
       corresponding user.

       The  user  keyring  is associated with the record that the kernel maintains for the UID.  It comes into existence upon the first attempt to
       access either the user keyring, the user-session-keyring(7), or the session-keyring(7).	The keyring remains pinned in existence so long as
       there  are  processes  running  with that real UID or files opened by those processes remain open.  (The keyring can also be pinned indefi-
       nitely by linking it into another keyring.)

       Typically, the user keyring is created by pam_keyinit(8) when a user logs in.

       The user keyring is not searched by default by request_key(2).  When pam_keyinit(8) creates a session keyring, it adds to it a link to  the
       user keyring so that the user keyring will be searched when the session keyring is.

       A  special  serial  number  value,  KEY_SPEC_USER_KEYRING,  is  defined that can be used in lieu of the actual serial number of the calling
       process's user keyring.

       From the keyctl(1) utility, '@u' can be used instead of a numeric key ID in much the same way.

       User keyrings are independent of clone(2), fork(2), vfork(2), execve(2), and _exit(2) excepting that the keyring is destroyed when the  UID
       record is destroyed when the last process pinning it exits.

       If  it  is  necessary  for  a  key associated with a user to exist beyond the UID record being garbage collected--for example, for use by a
       cron(8) script--then the persistent-keyring(7) should be used instead.

       If a user keyring does not exist when it is accessed, it will be created.

SEE ALSO

       keyctl(1), keyctl(3), keyrings(7), persistent-keyring(7), process-keyring(7), session-keyring(7), thread-keyring(7),
       user-session-keyring(7), pam_keyinit(8)

Linux								    2017-03-13							   USER-KEYRING(7)

Check Out this Related Man Page

SESSION-KEYRING(7)					     Linux Programmer's Manual						SESSION-KEYRING(7)

NAME

       session-keyring - session shared process keyring

DESCRIPTION

       The session keyring is a keyring used to anchor keys on behalf of a process.  It is typically created by pam_keyinit(8) when a user logs in
       and a link will be added that refers to the user-keyring(7).  Optionally, PAM may revoke the session keyring on logout.	(In  typical  con-
       figurations, PAM does do this revocation.)  The session keyring has the name (description) _ses.

       A  special  serial  number  value, KEY_SPEC_SESSION_KEYRING, is defined that can be used in lieu of the actual serial number of the calling
       process's session keyring.

       From the keyctl(1) utility, '@s' can be used instead of a numeric key ID in much the same way.

       A process's session keyring is inherited across clone(2), fork(2), and vfork(2).  The session keyring is preserved across  execve(2),  even
       when the executable is set-user-ID or set-group-ID or has capabilities.	The session keyring is destroyed when the last process that refers
       to it exits.

       If a process doesn't have a session keyring when it is accessed, then, under certain circumstances,  the  user-session-keyring(7)  will	be
       attached as the session keyring and under others a new session keyring will be created.	(See user-session-keyring(7) for further details.)

   Special operations
       The keyutils library provides the following special operations for manipulating session keyrings:

       keyctl_join_session_keyring(3)
	      This  operation allows the caller to change the session keyring that it subscribes to.  The caller can join an existing keyring with
	      a specified name (description), create a new keyring with a given name, or ask the  kernel  to  create  a  new  "anonymous"  session
	      keyring with the name "_ses".  (This function is an interface to the keyctl(2) KEYCTL_JOIN_SESSION_KEYRING operation.)

       keyctl_session_to_parent(3)
	      This operation allows the caller to make the parent process's session keyring to the same as its own.  For this to succeed, the par-
	      ent process must have identical security attributes and must be single threaded.	(This function is an interface	to  the  keyctl(2)
	      KEYCTL_SESSION_TO_PARENT operation.)

       These operations are also exposed through the keyctl(1) utility as:

	   keyctl session
	   keyctl session - [<prog> <arg1> <arg2> ...]
	   keyctl session <name> [<prog> <arg1> <arg2> ...]

       and:

	   keyctl new_session

SEE ALSO

       keyctl(1), keyctl(3), keyctl_join_session_keyring(3), keyctl_session_to_parent(3), keyrings(7), persistent-keyring(7), process-keyring(7),
       thread-keyring(7), user-keyring(7), user-session-keyring(7), pam_keyinit(8)

Linux								    2017-09-15							SESSION-KEYRING(7)
Man Page